CVE-2026-24315
4.2 MEDIUM
SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain, this when opened ...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 4.2 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- CWE: CWE-35
Description
SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain. When opened by the user, such a URL could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system and causes low impact on Confidentiality and Integrity. Availability of the system is not impacted.
Source: NVD
Related CVEs
Same CWE
- CVE-2026-40128 — SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that man... (9.0 CRITICAL)
- CVE-2026-45661 — Dokploy is a free, self-hostable Platform as a Service (PaaS) (9.9 CRITICAL)
- CVE-2026-44933 — `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard config... (7.8 HIGH)
- CVE-2026-45495 — Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (8.8 HIGH)
- CVE-2026-7302 — SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arb... (9.1 CRITICAL)